Software-defined networking (SDN) is an emerging network architecture that has gained much attention from academia and industry. The core idea of SDN is to decouple the network’s control and data planes, interconnecting them with a standard protocol, i.e. OpenFlow. The centralized control plane makes network management simple and efficient, while the decoupled architecture allows the two planes to evolve separately, enabling rapid innovations in network management. 

Despite these advantages, the SDN control plane fails to provide sufficient throughput. This
vulnerability could be exploited by malicious agents to initiate distribute denial-of-service (DDoS) attacks: the zombies can congest the control plane by sending a large number of forged
flow arrivals, causing network performance degradation and interruption. Traditional DDoS defense approaches focus on protecting the data plane, and are therefore ineffective in the
cases of SDN control plane DDoS attacks. Recently proposed schemes only partially solve the problems by scaling up the control planes using software-based switches, but do not ultimately
solve the problems caused by SDN control plane DDoS attacks. 

In this project, we propose SDNShield, a distributed and coordinated defense system against DDoS attacks on SDN control plane. The SDNShield workflow includes two stages. First, it uses an overlay network of software-based attack mitigation units (AMUs) to shield SDN switches from transient overload. Second, the smart filters in the AMUs can differentiate legitimate flows from forged ones using a statistics-based mechanism, protecting the entire control plane from persistent bombardment of attacks.

We will investigate the following research issues: (1) design of an efficient and effective coordination for the SDNShield system, and analysis of the coordination overhead; (2) the
vulnerability of AMUs and design of efficient defense mechanisms; (3) implementation of high-performance AMUs on commodity servers by leveraging the CPU core and thread level parallelism.

We will evaluate the performance of SDNShield in three phases. First, a real data-driven study to evaluate the anomaly detection accuracy (i.e., false positive and negative rates under different traffic characteristics) and algorithmic complexity. Second, an Mininet-based emulation to verify the software prototype’s functionality. Finally, a testbed to gain more understanding on hardware/software performances and possible constraints.